CVE-2014-5044

9.8 CRITICAL

📋 TL;DR

Multiple integer overflow vulnerabilities in libgfortran (GNU Fortran runtime library) allow remote attackers to execute arbitrary code or cause denial of service via specially crafted Fortran array allocations. This affects any system running vulnerable Fortran applications that process untrusted input.

💻 Affected Systems

Products:
  • GCC (GNU Compiler Collection)
  • libgfortran
Versions: GCC 4.8.x before 4.8.3, GCC 4.9.x before 4.9.1, and all earlier release branches
Operating Systems: Linux, Unix-like systems, Any OS using vulnerable GCC/libgfortran
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications compiled with vulnerable GCC versions that use Fortran array allocation features.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the Fortran application, potentially leading to full system compromise.

🟠 Likely Case: Denial of service through application crashes when processing malformed input.

🟢 If Mitigated: Limited impact if applications don't process untrusted input or have proper input validation.

🌐 Internet-Facing: MEDIUM - Risk depends on whether vulnerable Fortran applications are exposed to untrusted network input.
🏢 Internal Only: LOW - Most Fortran applications process trusted data internally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept code exists in security advisories. Exploitation requires crafting specific Fortran array allocation requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GCC 4.8.3, 4.9.1, or later

Vendor Advisory: https://gcc.gnu.org/viewcvs/gcc/trunk/libgfortran/ChangeLog?limit_changes=0&view=markup&pathrev=211721

Restart Required: Yes

Instructions:

1. Update GCC to version 4.8.3, 4.9.1 or later.
2. Recompile affected Fortran applications with the updated compiler.
3. Restart applications using the updated libraries.

🔧 Temporary Workarounds

Input Validation (all platforms): Implement strict input validation in Fortran applications to reject malformed array allocation requests.

Library Replacement (linux): Replace libgfortran with a patched version without recompiling the entire GCC toolchain.

yum update libgfortran
apt-get install libgfortran3

🧯 If You Can't Patch

  • Isolate vulnerable Fortran applications in restricted network segments
  • Implement strict input validation and sanitization for all Fortran application inputs

🔍 How to Verify

Check if Vulnerable:

Check GCC version (a match means the compiler is in the affected range; the pattern is anchored on both sides so that unrelated version strings such as 14.2.1 are not flagged):

gcc --version | head -n 1 | grep -E '(^|[^0-9.])4\.([0-7]\.[0-9]+|8\.[0-2]|9\.0)([^0-9]|$)'

Check Version:

gcc --version

Verify Fix Applied:

Verify GCC version is 4.8.3, 4.9.1 or later: gcc --version
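A bare regex on the banner is easy to get wrong, so the following added shell script (not part of the advisory) parses the first line of `gcc --version`, compares the version against the 4.8.3 and 4.9.1 fix line, and refuses to report an unparsable string as fixed; the function names and the sample banners are constructed for this example, and it also classifies the local compiler if one is installed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a "gcc --version" banner
# against the CVE-2014-5044 fix line (4.8.3 / 4.9.1). The function names and
# the sample banners are constructed for this example.

# Pull the first X.Y.Z number out of a banner line such as
# "gcc (GCC) 4.8.2 20140120 (Red Hat 4.8.2-16)".
gcc_version_from_banner() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 if X.Y.Z is in the affected range, 1 if it carries the fix,
# 2 if the string is not a plain three-part version (never treat that as fixed).
gcc_is_vulnerable() {
    case "$1" in *.*.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
    case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 4 ]; then return 0; fi    # earlier release branches
    if [ "$major" -gt 4 ]; then return 1; fi    # GCC 5 and later ship the fix
    if [ "$minor" -lt 8 ]; then return 0; fi    # 4.0 through 4.7
    if [ "$minor" -eq 8 ] && [ "$patch" -lt 3 ]; then return 0; fi
    if [ "$minor" -eq 9 ] && [ "$patch" -lt 1 ]; then return 0; fi
    return 1
}

# Human-readable verdict for one banner; unlike a loose '4\.[0-7]' pattern,
# this does not flag unrelated strings such as "14.2.1".
classify_banner() {
    v=$(gcc_version_from_banner "$1")
    if [ -z "$v" ]; then echo "unparsable: $1"; return 0; fi
    gcc_is_vulnerable "$v" && rc=0 || rc=$?
    case $rc in
        0) echo "VULNERABLE $v (update to 4.8.3 / 4.9.1 or later)" ;;
        1) echo "fixed $v" ;;
        *) echo "unparsable: $v" ;;
    esac
}

# Constructed sample banners, then the local compiler if one is installed.
for banner in "gcc (GCC) 4.8.2 20140120 (Red Hat 4.8.2-16)" \
              "gcc (Debian 4.9.2-10) 4.9.2" \
              "gcc (GCC) 14.2.1 20240912"; do
    classify_banner "$banner"
done
if command -v gcc >/dev/null 2>&1; then
    classify_banner "$(gcc --version 2>/dev/null | head -n 1)"
fi
```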

📡 Detection & Monitoring

Log Indicators:

  • Fortran application crashes with segmentation faults
  • Unexpected termination of Fortran processes

Network Indicators:

  • Unusual network traffic to Fortran application ports
  • Repeated connection attempts with malformed data

SIEM Query (replace fortran_app with the actual process name; the parentheses are needed because AND binds tighter than OR, and without them the query would match every segfault on the host):

process.name:"fortran_app" AND (event.type:"crash" OR event.type:"segfault")
